|Publication Date | Version
|September 13, 2023 | 1.0
|Personal Data, Data Principal, Consent, Notice, Data Fiduciary, Data Processor,
The Parliament of India passed The Digital Personal Data Protection Act, 2023 (‘Act’) on August 11, 2023. The Act recognises the right of individuals to protect their personal data and the need to process such personal data. This write-up enquires into the manner in which personal data is to be shared by an individual while also discussing the manner in which entities may process this personal data.
Given that the concepts of privacy and data protection are nascent, it would take some time for the legal framework in this regard to develop. Therefore, this write-up also identifies certain aspects concerning data protection that must be addressed going forward. Specific issues are likely to be addressed in the rules to be made by the Central Government under the Act and new legislations that may be introduced, such as the much anticipated Digital India Act.
The Act and Applicability
The Act applies to the processing of digital personal data within the territory of India where the personal data is collected:
- In digital form; or
- In non-digital form and digitised subsequently.
The Act is also applicable to digital personal data being processed outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.
The provisions of the Act shall not be applicable to the processing of personal data by an individual for any personal or domestic purpose. The Act is also not applicable to personal data being made or caused to be made publicly available by:
- The Data Principal to whom such personal data relates; or
- Any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
There are several questions to be asked and answered concerning applicability. Such as;
- Situation: Personal data of X is processed outside India in respect of services rendered to X, who is ordinarily resident in India but at the relevant time is travelling outside India. Would the Act apply to X’s digital personal data, which is being processed outside the territory of India?
- The meaning of ‘publicly available’? Would information shared in a closed WhatsApp group constitute ‘publicly available’? Similarly, would information sent via broadcast over WhatsApp (where the sender can select the recipients) constitute ‘publicly available’?
A Data Principal is an individual to whom the personal data relates. Unless an exemption under the Act (or the rules which are yet to be framed) is available, the consent in writing of the Data Principal is required to be obtained by the Data Fiduciary for processing their personal data.
In the case of children, the parents or the lawful guardian, and in the case of a person with disability, the lawful guardian is considered to be the Data Principal.
A Data Principal has the right to:
- Know from the Data Fiduciaries, a summary of personal data being processed and the processing activities being undertaken.
- Know the identities of Data Fiduciaries and Data Processors.
- Require the Data Fiduciary to undertake correction, completion, updation and erasure of personal data.
- Grievance redressal mechanism which is required to be established by the Data Fiduciary and the Consent Manager.
- Nominate an individual on its behalf (in the event of death/incapacity).
X, an individual registers themselves on a poker platform and provides personal data to the poker platform. X is also redirected by the website to a third-party portal for making deposits. X incurs heavy losses and makes multiple deposits. X resolves not to get lured to the platform. But then, X receives several SMS notifications with deposit offers, and temptation gives way. X plays poker again on the platform and loses yet again!
X had given their consent to process their personal data regarding accessing the poker platform to play and nothing more.
Unknown to X, his losing record is being processed and tracked, which is why they were selected for the SMS notifications. X is entitled to require the poker platform operator to share a summary of the personal data being processed and the processing activities being taken.
A Data Principal has a duty to:
- Comply with applicable laws while exercising rights under the Act.
- Not impersonate another person.
- Not suppress any material information.
- Not register a false grievance.
- Furnish verifiably authentic information.
X, an individual registers themselves on a poker platform and, in the process, provides personal data to the poker platform. X is also redirected to a third-party portal by the website for making deposits. X makes a massive profit playing on the platform.
X’s father comes across his bank account statement and informs him that such massive profits would attract a heavy income tax.
To get information regarding the TDS deducted by the poker platform, X writes to the poker platform operator, claiming to be an officer in the Income Tax Department. While X is entitled to access the information regarding TDS deduction, he cannot exercise such rights by impersonating another person.
A Data Fiduciary is a person (alone or in conjunction with others) who determines the purpose and means of data processing. A Data Fiduciary may continue to process the Personal Data of the Data Principal until she withdraws their consent.
A Data Fiduciary may also engage Data Processors for processing personal data obtained from the Data Principal. However, the Data Fiduciary shall remain liable for all Data Processor acts for personal data processing.
A Data Fiduciary has the following obligations:
- To obtain consent to process data only for specified purposes or legitimate uses.
- To give notice to the Data Principal in respect of personal data and purpose, and the burden of proof in this regard lies with the Data Fiduciary.
- Ensure completeness, accuracy, and consistency of personal data.
- Protect personal data and take reasonable security safeguards to prevent personal data breach.
- Publish contact details of authorised persons to respond to communications from the Data Principal.
- Implement appropriate technical and organisational measures to ensure effective observance of the provisions of the Act.
- Establish a grievance redressal mechanism for the Data Principal.
- Erase or cause the Data Processor to erase personal data if consent is withdrawn or if the purpose for obtaining consent has been served.
- Comply with retention requirements and Central Government instructions in respect of personal data.
- Intimate the Data Protection Board of India (‘Board’) and Data Principal of any personal data breach.
- Correct, complete, and update personal data upon the request of the Data Principal.
- To give notice for consent in respect of personal data obtained from the Data Principal before the enactment of the Act.
A Data Fiduciary may process the personal data of a Data Principal for any of the following uses (which are considered legitimate use), namely:
- Specified purpose for which personal data has been provided voluntarily by the Data Principal.
- For the State (or its instrumentalities) to issue subsidy, benefit, service, certificate, license, or permit where either consent has been given previously or such data is available in the public domain, subject to standards and policies issued by the Central Government.
- For performance by State (or its instrumentalities) for any function under any law.
- To fulfil any obligation under any law.
- For compliance with any judgement or decree or order issued under any law for the time being in force in India, or any judgement or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;
- In response to a medical emergency or to provide medical treatment/health services.
- For safety measures during any disaster or breakdown of public order.
- For employment purposes or safeguarding the employer from loss or liability.
A Data Fiduciary may make a Request for Consent to the Data Principal accompanied or preceded by a notice to the Data Principal. The Data Principal has the option to access such notice in English or any of the 22 languages specified in the Eighth Schedule of the Constitution of India (Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Malayalam, Manipuri, Marathi, Nepali, Oriya, Punjabi, Sanskrit, Sindhi, Tamil, Telugu, Urdu Bodo, Santhali, Maithili and Dogri).
The notice shall inform the Data Principal in respect of the:
- Personal data being obtained and purpose.
- Manner of exercising rights.
- Manner of making a complaint to the Board.
- Contact details of authorised person to respond to Data Principal communications.
The Rules in respect of such a notice are yet to be notified by the Central Government.
The Act also introduces the concept of a Consent Manager. Under the Act, a Data Principal may have their consent managed by a Consent Manager who is “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.” The Consent manager acts on behalf of the Data Principal and instructs the Data Fiduciary. Therefore, the Consent Manager is accountable to the Data Principal. The duties of the Consent Manager involve:
- Responding to grievances of the Data Principal.
- Enables the Data Principal to give, manage, review and withdraw consent.
The rules concerning the manner of registration and obligations of the Consent Manager are to be framed. The rules are expected to answer questions such as the relationship matrix among the Data Principal, Data Fiduciary and Consent Manager, and registration of Consent Manager with the Board.
The Act defines ‘processing’ to mean: “in relation to personal data to mean a wholly or partly automated operation (or set of operations) performed on digital personal data, and includes operations such as collection, storage, retrieval, use, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
The Act states that personal data may be processed for the specified purpose “for which the data principal has provided free, specific, informed, unconditional and unambiguous consent with a clear affirmative action, thus signifying an agreement to such processing for a specified purpose (where processing is limited to the data necessary for such purpose)” and legitimate uses (as specified above).
Given that consent for processing is obtained by the Data Fiduciary, the Data Fiduciary is held accountable for the processing of personal data being provided to them. However, a Data Processor may also process the personal data on behalf of the Data Fiduciary. In this respect, it is the duty of the Data Fiduciary to:
- Have in place a valid contract with the Data Processor for such processing of data.
- Ensure that any personal data made available to the Data Processor by the Data Fiduciary for processing be erased unless data retention is necessary for compliance with any law for the time being in force.
- Ensure that the identity of the Data Processor is shared with the Data Principal, along with a description of the personal data.
Provisions of the Act do not apply to:
- Processing of personal data by such instrumentality of the State as the Central Government may notify and processing of such data by Central Government as furnished to it by such instrumentality.
- As stated above, operations such as storage also form a part of the term ‘processing’.
- It is unclear why the provisions regarding securing the storage of personal data do not apply to such instrumentality of the State as the Central Government may notify.
- Processing of personal data ‘necessary’ for research, archives or statistical purposes to the extent it is not used to take any decision specifically for the Data Principal.
- Ideally, this personal data should be stripped of all information that may help identify the Data Principal and should be anonymised. The provisions with respect to securing the storage of personal data should still be applicable. Access to such data shall be restricted to only authorised personnel.
- It may be pointed out that under the General Data Protection Regulation, 2016 anonymous data is “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable” Datasets/statistics being developed may contain identifiers, either direct or indirect, which might reveal the identity of the Data Principal. In some instances, even pseudonymised data may be used to deduce the identity of the Data Principal.
The Central Government may also notify, depending on the volume and the nature of personal data being processed, certain Data Fiduciaries and Significant Data Fiduciaries (including startups) to whom provisions in respect of the following shall not apply:
- Request for notice to obtain consent.
- The obligation of the Data Fiduciary to ensure completeness, accuracy and consistency of personal data where the personal data being processed by the Data Fiduciary is likely to be used to make a decision that affects the Data Principal or is disclosed to another Data Fiduciary.
- The obligation of the Data Fiduciary to erase (or cause the Data Processor to erase) personal data upon withdrawal of consent by the Data Principal or upon the purpose being served.
- Rights of the Data Principal to access information about the personal data.
Obligation of a Data Fiduciary (except obligations under the Act in respect of the processing of data and protection of data); the rights and duties of a Data Principal; and Central Government restrictions on data transfer for processing outside India shall not be applicable in the following cases:
- Where it is necessary to process data to enforce a legal right or claim.
- Where it is necessary to process such data for discharging functions by courts, judicial and quasi-judicial bodies.
- Where it is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law.
- When there is a contract by a person based in India with a person outside the territory of India to process data (within the territory of India territory) of Data Principals outside the territory of India.
- Where the processing is necessary for mergers and acquisitions, corporate restructuring etc.
- Where processing is undertaken to know financial information of any person who has defaulted in payments due to Financial Institutions.
When the State or any of its instrumentalities is processing data, the following provisions shall not apply:
- Obligation to erase personal data pursuant to request made by Data Principal.
- Obligation to erase data upon Data Principal withdrawing consent or if the specified purpose is no longer being served and causing the Data Processor to erase personal data.
- If data is being processed for a purpose that does not include a decision that affects the Data Principal, the provision regarding any request by the Data principal for correction, completion, or updating should not apply.
Under the Act, both the Consent Manager and the Data Fiduciary are required to have in place appropriate mechanisms to address the grievances of the Data Principal. The Data Principal shall exhaust the opportunity of redressing her grievance before they approach the Board established by the Central Government.
Recourse to Board
The Board has the power to inquire or direct any urgent remedial/mitigation measures in the following cases:
- On a complaint by the Data Principal,or under Central or State Government reference, or under directions of the Court.
- On a complaint by the Data Principal in respect of a breach of registration requirements or obligations by the Consent Manager.
- On a reference by the Central Government regarding a breach by an ‘intermediary’. Under the Information Technology Act, 2001, an ‘intermediary’ is “any person who on behalf of another person receives, stores or transmits an electronic record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes“.
In all the above cases, the Board has been granted the power to issue directions and/or impose penalties as specified under the Schedule after giving the other person an opportunity for being heard. The Act also permits the Board to direct the parties to mediation as well.
The Appellate Tribunal
Any individual aggrieved by the decision of the Board may appeal to the Appellate Tribunal within 60 days of the directions/order issued by the Board. The Act defines ‘Appellate Tribunal’ as “the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997.” Under the Act:
- The Appellate Tribunal may entertain an appeal even after 60 days if there is sufficient cause for not preferring that appeal within 60 days.
- The Appellate Tribunal may pass orders and send a copy of every order to the Board.
- The Appeal has to be disposed of within six months, and if not, then the Appellate Tribunal must record reasons for the same.
- Provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997 shall be applicable for appeal against the orders of the Appellate Tribunals.
What Lies Ahead
Under the Act, The Central Government is empowered to make rules not inconsistent with the provisions of this Act to carry out the purposes of the Act. There are certain matters where specific reference to rules is made, and it is expected that the Central Government would, in due course, make rules in respect of such matters, which include:
- The manner in which the Data Fiduciary shall send the notice for the consent of the Data Principal, which shall inform about the personal data and the purpose for which it shall be processed.
- The manner in which the Data Fiduciary shall give the notice to the Data Principal in the event where the Data Principal has given her consent before the commencement of the act.
- The manner in which the obligations and accountability of the consent manager are performed with respect to the Data Principal.
- The manner in which the Consent Manager shall be registered with the Board.
- The manner and form in which the Data Fiduciary shall inform the Board and affected data principal in the event of a personal data breach.
- The standards according to which the personal data shall be permissible for processing for research, archiving or statistical purposes.
- The procedure which the Appellate Tribunal shall follow while dealing with an appeal.
As and when the rules are framed under the Act, several issues will likely be addressed, and new ones will likely arise.
- As an individual, it is essential to be mindful of the information that is being divulged in the public domain. It is important to note that personal data shared in the public domain falls outside the ambit of the Act, and thus, no protection is afforded under the Act to an individual with respect to such personal data.
- Businesses need to examine the extent to which the Act may be applicable to their operations. In most cases, a business house would be a data fiduciary concerning certain personal data and a data processor concerning customer-facing data. Personal data must be handled so that the business is equipped to safeguard the use and processing of personal data in the manner required by the Act.
It follows that there is a need for organisations and businesses to monitor the chain of custody in respect of personal data.
- The manner in which personal data is to be ‘erased’ following the exercise of rights by a Data Principal under the Act needs to be addressed effectively. While the Act grants an individual the right to have the Data Fiduciary erase all the personal data relating to the Data Principal, the intricacies of the 21st-century storage systems, protocols, and interdependencies make it a herculean task to guarantee the complete erasure of the personal data. The rules under the Act should establish robust standards, technical measures, and time frame to ensure that personal data is removed effectively.
- Clarity is required with respect to the processing of data ‘outside the territory of India’ if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India, as discussed above.